| 84c93d58 | 05-Oct-2020 |
Etienne Carriere <etienne.carriere@linaro.org> |
core: dt: fix inline description for _fdt_get_status()
Fix _fdt_get_status() inline description comment as the function never returns a negative value reporting some kind of error case.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 1579bdf3 | 06-Oct-2020 |
Jerome Forissier <jerome@forissier.org> |
core: lpae: allocate one more translation table for ASLR
Depending on the ASLR seed, the MMU code may run out of translation tables and panic. For instance with seed = 0x71dfb000 in init_mem_map() the following crash is reproducible:
D/TC:0 core_mmu_entry_to_finer_grained:761 xlat tables used 7 / 7
...
D/TC:0 tee_entry_exchange_capabilities:102 Dynamic shared memory is enabled
E/TC:0 0 Panic 'Failed to spread pgdir on small tables' at core/arch/arm/mm/core_mmu.c:1739 <core_mmu_map_pages>
E/TC:0 0 TEE load address @ 0x7fefb000
E/TC:0 0 Call stack:
E/TC:0 0  0x000000007ff06688 print_kernel_stack at optee_os/core/arch/arm/kernel/unwind_arm64.c:79
E/TC:0 0  0x000000007ff13d24 __do_panic at optee_os/core/kernel/panic.c:24
E/TC:0 0  0x000000007ff083d8 core_mmu_map_pages at optee_os/core/arch/arm/mm/core_mmu.c:1719
E/TC:0 0  0x000000007ff0cf8c mobj_reg_shm_inc_map at optee_os/core/arch/arm/mm/mobj_dyn_shm.c:200
E/TC:0 0  0x000000007ff0d5a0 mobj_inc_map at optee_os/core/arch/arm/include/mm/mobj.h:92
E/TC:0 0  0x000000007ff03960 map_cmd_buffer at optee_os/core/arch/arm/kernel/thread_optee_smc.c:128
Fix the issue by allocating one more translation table when CFG_ASLR=y.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| be041efc | 01-Oct-2020 |
Neil Shipp <neilsh@microsoft.com> |
core: Bad assert in fat_entry_dir_update()
Fix an assert in fat_entry_dir_update() that always fires when updating fat entries other than the first element in the cache.
Signed-off-by: Neil Shipp <neilsh@microsoft.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| c56cc686 | 13-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: include parity in DES/DES3 key sizes
Update from GP 1.0 the parity bits are now included in the DES and DES3 key sizes. This is an incompatible change where 56, 112 and 168 key sizes are replaced with 64, 128 and 192 respectively.
This changes the ABI in a way that it's not enough even to recompile the TA. In order to maintain backwards compatibility the configuration flag CFG_COMPAT_GP10_DES is introduced (default y). The presence of the parity bits is autodetected and this update is transparent to a TA which hasn't been updated.
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 68c68bce | 09-Sep-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: syscall_asymm_verify(): accurate DSA parameter check
A comment in syscall_asymm_verify() reads: "Depending on the DSA algorithm (NIST), the digital signature output size may be truncated to the size of a key pair (Q prime size). Q prime size must be less or equal than the hash output length of the hash algorithm involved."
Instead of just assuming that Q size is small when data length is smaller than the hash, check that it's the case also. Don't allow data length smaller than both hash size and Q size.
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| b9416909 | 24-Sep-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
Provide TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC
Provides TEE_ATTR_FLAG_VALUE and TEE_ATTR_FLAG_PUBLIC which are defined already in GP v1.0 [1] and also expected in GP v1.1 [2]. The old TEE_ATTR_BIT_VALUE and TEE_ATTR_BIT_PROTECTED are kept for backwards compatibility for now.
[1]: GlobalPlatform TEE Internal API Specification v1.0
[2]: GlobalPlatform TEE Internal Core API Specification v1.1
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 3e2b9635 | 29-Sep-2020 |
Jerome Forissier <jerome@forissier.org> |
core: use C locale when generating the build date
The build date included in the version string depends on the current locale (language), which is not very good. Force LANG=C so that English abbreviations are used for the day and month.
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| db0683fa | 25-Aug-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: imx_i2c: early_init
When i2c SE elements (crypto providers) are enabled, the driver requires early initialization. This should be made the default scenario for drivers with this use case
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
| cca7b5eb | 25-Aug-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
core: configuration switches to tune stack sizes
Enabling certain configuration options might increase the TMP and THREAD stack requirements.
This commit defines CFG_ options so that the sizes of those two stacks can be fine tuned at build time.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
| d9281a0c | 19-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: check that certain object attributes are consistent with max key size
When populating a crypto object check that certain attributes are consistent with maximum key size. For example the attribute TEE_ATTR_DSA_PRIME must not have more significant bits than max key size. All these attributes are flagged with TEE_TYPE_ATTR_BIGNUM_MAXBITS and tee_svc_cryp_obj_populate_type() is updated as needed.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| d1272505 | 19-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: check that object attributes for current usage are relevant
When populating or generating a key the relevant attributes can differ. Some attributes are parameters for the key generation.
Updates tee_svc_cryp_check_attr() and object type descriptions to be accurate.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 73e18e2d | 19-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: check max key size when populating object
Checks that attributes are within the bounds defined by the max key size which was supplied when the object was allocated.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| dbc27a6f | 22-Sep-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: fix calculation of DES key size
Prior to this patch the parity bits were included when calculating the key size for DES keys. Fix this by subtracting the parity bits.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 6c276b08 | 18-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: tee_obj_get() return TEE_ERROR_BAD_STATE
Updates tee_obj_get() to return TEE_ERROR_BAD_STATE when an object reference can't be found. This will allow the GP TA API to panic the caller as required in the GP spec [1].
[1] GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 338b123e | 18-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: syscall_obj_generate_key() check public rsa exponent
The v1.1 spec [1] requires the NIST SP800-56B [2] rules to be followed when generating an RSA key.
Adds a check when generating an RSA key that the supplied exponent conforms with the requirements in NIST SP800-56B, that is, the key must be odd and in the range 65537 <= e < 2^256.
[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Link [2]: https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 9760936c | 13-Aug-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: syscall_cryp_obj_alloc(): allow TEE_TYPE_DATA for transient objects
GP 1.1 spec [1] explicitly allows creation of TEE_TYPE_DATA object. So update syscall_cryp_obj_alloc() accordingly.
[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 68c2b9ff | 25-Sep-2020 |
Jerome Forissier <jerome@forissier.org> |
core: dt: discover_nsec_memory(): consider only non-secure memory
QEMU has a /secram@e000000 DT node with secure-status = "okay" and status = "disabled", in other words: some secure-only memory is described in the DT. Memory that is not accessible from non-secure world should not be added to the nsec map. Unfortunately, the commit referenced below inadvertently added such memory, resulting in a panic on boot:
I/TC: Non-secure external DT found
E/TC:0 0 check_phys_mem_is_outside:332 Non-sec mem (0xe000000:0x100000) overlaps map (type 14 0xe000000:0x100000)
E/TC:0 0 Panic at core/arch/arm/mm/core_mmu.c:336 <check_phys_mem_is_outside>
Change the DT status test to consider only memory accessible from non-secure and secure world. Also, rename a couple of functions to make their purpose clear.
Fixes: 721619e8890e ("core: Parse all memory DT nodes")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 0bdf2e5d | 11-Apr-2020 |
Marek Vasut <marek.vasut+renesas@gmail.com> |
plat: rcar: Enable parsing DT from TFA
Enable support for reading and processing DT passed in by TFA, this is useful to read out the DRAM configuration and layout.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 721619e8 | 01-Dec-2019 |
Marek Vasut <marek.vasut+renesas@gmail.com> |
core: Parse all memory DT nodes
The current code for parsing /memory* DT nodes does not work at all on systems with multiple memory nodes. The code cannot handle e.g.
/ {
    memory@480000000 {
        reg = <0x00000000 0x48000000 0x00000000 0x78000000>;
        device_type = "memory";
    };
    memory@600000000 {
        reg = <0x00000006 0x00000000 0x00000000 0x80000000>;
        device_type = "memory";
    };
};
This patch fixes the code such that it iterates over all enabled memory nodes instead of reading out the first /memory node only. The code iterates over the DT twice, which is faster than constant calls to realloc() to allocate more entries in core_mmu_phys_mem().
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| 1527e616 | 29-Aug-2020 |
Marek Vasut <marek.vasut+renesas@gmail.com> |
core: dt: Repair type in _fdt_reg_size()
The function returns ssize_t, while DT_INFO_INVALID_REG is paddr_t, fix the type.
Fixes: c0cfb36c ("core: dt: introduce _fdt_fill_device_info()")
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| e12c9f67 | 11-Sep-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: strict buffer check in syscalls following GP 1.1
GP 1.1 [1] and also earlier specifications have certain annotations in the description of API functions to, among other things, describe which kind of memory a buffer is required to reside in. It could be readable, writeable, in shared memory or in TA private memory.
The following syscalls are updated with slightly stricter checks with regards to TA private memory where needed:
- syscall_open_ta_session()
- syscall_invoke_ta_command()
- syscall_get_time()
- syscall_set_ta_time()
- syscall_cryp_obj_get_info()
- syscall_cryp_random_number_generate()
- syscall_authenc_dec_final()
- syscall_storage_next_enum()
- syscall_storage_obj_read()
- syscall_storage_obj_write()
[1]: GlobalPlatform TEE Internal Core API Specification v1.1
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 4731662f | 22-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV
In order for tee_mmu_check_access_rights() to be able to identify ldelf mappings as TA private remove VM_FLAG_LDELF from VM_FLAGS_NONPRIV. This is needed for the more strict check of the memory location of ret_orig in syscall_open_ta_session() and syscall_invoke_ta_command().
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 7e4100f3 | 22-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: add copy_{to,from}_private()
Adds the copy_{to,from}_private() functions which check that the user mode buffer resides in TA private memory and not non-secure shared memory for instance.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| c40a6505 | 21-Jun-2020 |
Jens Wiklander <jens.wiklander@linaro.org> |
core: separate copy_from_user() and friends
Removes the tee_svc_ prefix and moves tee_svc_copy_from_user() and friends into <kernel/user_access.h> and core/kernel/user/access.c
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| fe80fd79 | 18-Sep-2020 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: caam: fix build warning
Compiler warns about comparison of integer expressions of different signedness. This causes build failures when error on warning is enabled.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
|